Slashdot Mirror
Hackers Steal Data Of 4.5 Million US Hospital Patients
itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.
"The stolen data did not include patient credit card, medical, or clinical information."
That seems to be a rather dubious claim.
Get up!
Yes, but think of all the new medical breakthroughs and publications that will be coming out of China in the next few years. ;-)
What were such systems doing connected to the public internet?
You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).
'Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems.'
..
That would be a msOffice document sent as an email attachment
I guess this needs to be reported, but, is it news anymore?
We are Dead Stars looking back Up at the Sky
I sure hope the hackers comply with HIPAA. They sure will be in a lot of trouble if they don't.
Well, your DIY lobotomy didn't turn out so well.
Table-ized A.I.
I guess this needs to be reported, but, is it news anymore?
Yes. It is huge news for anyone who seeks medical care in the US. Your supposedly confidential records are not confidential. It's criminal and I hope to see everyone responsible for mismanaging medical records prosecuted.
"They used sophisticated malware!"
What a joke. And let me guess, they're offering free credit monitoring for up to a year! It's completely inexcusable that they waited over a month to report this. I hate to see the feds get involved in anything, but this is getting ridiculous. These incidents should result in fines in the tens of millions, minimum. Then they'd take security seriously. Most serious security efforts aren't even all that expensive. It's getting all the people and systems in compliance that's the issue.
We have had a huge amount of government regulation in place for years. This must be lies or a simple misunderstanding.
Scuse me, I think I dropped my sarcasm tag.
The hospital still has the records right? There is no missing property, right?
with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now! :D
You should have seen him before the lobotomy.
Faster! Faster! Faster would be better!
Their ISP would be more than happy to set up each hospital and office building with a "dedicated virtual circuit", which is basically a VPN handled and enforced by the ISP using their carrier-grade equipment. The ISP will ensure that the black network can't access the internet (and the internet can't access the black network). One thing ISPs can do pretty well is take AWAY your internet access. All systems with confidential data are connected only to tge bkack network, which interconnects the various locations.
You do NOT need each workstation to have general internet access in order to connect them to your (virtual) WAN.
Additionally, the various workstations shouldn't have access to social security numbers anyway, even via the local network. Unless you're the social security administration or the IRS, you probably shouldn't be storing social security numbers. If some specific legacy system really has to have social security numbers, isolate that system behind a one-way trapdoor. It shouldn't have general internet accessibility.
"..ICE patterns formed and reformed on the screen as he probed for gaps, skirted the most obvious traps, and mapped the route he'd take through Sense/Net's ICE. It was good ICE. Wonderful ICE... ...His program had reached the fifth gate. He watched as his icebreaker strobed and shifted in front of him, only faintly aware of his hands playing across the deck, making minor adjustments. Translucent planes of color shuffled like a trick deck. Take a card, he thought, any card.
The gate blurred past. He laughed. The Sense/Net ice had accepted his entry as a routine transfer from the consortium's Los Angeles complex. He was inside. Behind him, viral subprograms peeled off, meshing with the gate's code fabric, ready to deflect the real Los Angeles data when it arrived."
William Gibson
Faster! Faster! Faster would be better!
Ha ha ha, I haven't been to the doctor in over 5 years. Joke's on you, bitches. Technically I worked at a hospital though.
Your supposedly confidential records are not confidential.
My name, address, and phone number are already public information, and in the phone book. The only "confidential" information they got was the SSN, and that should be fixed by making it illegal to use SSNs as authentication. I am required to disclose my SSN to employers, contractees, financial institutions, creditors, etc. It is ridiculous to then assume that mere knowledge of my SSN is "proof" that I am me.
Disclosure: I'm a professional Penetration Tester
We find plenty of this sort of setups at our customers. Customers set up VPNs, have a password policy and a virus scanner. They have firewalls and keep user policies restricted. Then we come and we trojan someone, or find a weak WiFi password or whatever we use to get a foothold inside their network all it takes is one little mistake and we're "in". Once we get there, we log keyboards, get password hashes from network or system memory and start to pivot all over the place. Usually, our software will trigger virus alerts, but staff doesn't react to those "in a timely fashion" and we get to keep going even though alarms are going off on several computers. We could cloak our malware and sometimes we do, but usually it's too much trouble and we get domain admin passwords within a few days and rule the network in such a way that admins wouldn't be able to get rid of us if we would rootkit and backdoor properly.
It takes more than some policies and a VPN these days. You need IDS, proper procedures, layered security and skilled, motivated staff that knows how to deal with security incidents. You need properly trained and aware users that aren't afraid to admit they messed up and that have no problem reporting others doing wrong either. Don't trust on a single technical measure, but implement them all and make sure you test and train on a regular basis. Get a data classification policy and protect data according to that policy. That means that stuff like SSNs and anything that can be used for identity theft should get extra layers of protection and alerting implemented. If you don't do all this, a serious intruder will usually get what they want.
I was promised a flying car. Where is my flying car?
contractees should be given an EIN not a SSN.
Before? You mean her.
Table-ized A.I.
How dare you say that! We've been more inept for much longer than the USians. We'd make sure that a random doctor loses his unencrypted laptop with all the data on it.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Here's the list of Community Health Systems locations in case you've been to the hospital recently. Fortunately they don't have any in our area.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Given that the hospital's information is shared with all sorts of insurers, coding and transcription services, government agencies, services that comb the records looking for more insurance claims or more profitable claims, and so on, I have to say that these guys came really late to the party.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Disclaimer... i worked at CHS for a few years in the engineering department....there was a separate department responsible for security and theoretically they were the ones responsible make making sure that everyone was following proper security standards...
...but the catch, is that they really weren't. The organization regularly used open shares because that's what the "applications" required. One app in particular was called ProMED. during the time I was there, this app was loaded in almost every Emergency Department. The way it worked was that the promed server (a physical windows server housed inside the hospital) had a 100% open share (everyone read/write/modify). the computers around the ER would then be logged into by users and the entire application would copy to the workstations and then write logs and other crap directly back to the open. The actual patient data was written to the server using an app specific user/pass for each user, so the user still had to authenticate to get into promed. To make things even worse, the promed server service accounts used the same password in all of the hospitals and were set to auto-login, because that was the only way that the application would launch. if you RDP'ed into one of the servers as your own account, it would hose that hospital's ER workstations because the application would kill itself and then relaunch using your own credentials........what? further, since they were using open shares (that we in engineering constantly told them were bad), they had problems for YEARS with worms spreading. What were we told when we told them that they couldn't have open shares? that this was the software we were going to use and that there was nothing we could do about the open shares since the vendor wouldn't support their software in any other configuration.
shall we dig deeper? sure!
workers at CHS are so underpaid that it doesn't shock me at all that no one gave a shit. I know that I didn't when I was there. I gave my 40 hours every week and got out. the good ole boy system is alive and well at CHS. there was an official procedure to do everything, which DID entail including someone from the TAVM and security teams to evaluate new hospital apps, but if whoever the app owner was was connected well enough, they could implement whatever they wanted.... a complete end-around of any red-tape.
i haven't heard from any of my friends that still work there, so I don't know which applications were actually hacked. my bet is that the 4.5 million is an overstatement. CHS isn't cohesive enough to have the all same apps deployed in all of their hospitals...most apps only had about 20-25% penetration of their hospiatls. ProMED is the only one that I'm aware of that was actually deployed that widespread. They were also working on using the Cerner suite of apps to replace several of the other apps, like HPF and Meditech...they were actually talking about using it to replace ProMED at one point. I'm unsure of that the newly acquired HMA hospitals were using. Last year, CHS purchased 80 or so hospitals from a company called HMA, based out of florida.
What you say is true, but it's funny in a way that reminds me of something I'd do.
Ac: They shouldn't be connected to the internet.
-> Sarten-X: They need to be connected to the internet in order to be connected to each other.
-> raymorris: They can be connected to each other without being connected to the internet.
-> dutchwhizzman: Paragraphs of unrelated commentary
All someone needs is your name, address, SSN, and birthdate and they can use your identity to open a credit card in your name*. Trust me, I know this from personal experience. If the thieves hadn't paid for rapid delivery of the credit card and THEN changed the address on the card, the card would have been delivered to them, not me. I wouldn't then have realized what was up until the collection agencies were banging down my door and my credit rating was in shambles. Instead, I was able to cancel the card though now my credit file is frozen to prevent future lines of credit being opened (since my information is already out there).
I'll agree that it's ridiculous that address/SSN/DOB are used as the secret key to your credit account. Unfortunately, that's the way things are and until they change this breach means millions of patients are at risk for identity theft.
* As an aside, that mother's maiden name "security" question on the forms? Let's just say that the TSA provides more security than this does. The thieves got it obviously wrong and the credit card was still approved by Capital One.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Our gov't allowed SSNs to be used in all sorts of capacities since, I think the 1980's. I still have my SSN card which says "Not for Identification" - yeah...that old...issued in the 60's. Congress changed the rules and put us all in jeopardy by allowing SSNs to be used as a personal identifier.
How pervasive is it?
Want to write a letter to a military service member? Well, don't forget to add their SSN to the address. The military now uses SSN as the service number...it's in printed on the envelop of every letter to every military member.
Are you a student? It's likely your student identification number.
Shopping at the grocery store? Just you wait for them to ask for it...it's coming.
Hospitals do need the SSN because they become creditors and may need to supply information for disability and death claims. But, why is it needed as a patient identifier? Billing should be separate from patient records.
What we really need is a something like OAutht access to our record (which should be encrypted). Granting access to this data should also require 2 factor authentication at the very least. The encryption keys should be kept in another secure system requiring extreme protocols to obtain a single one.
Who should maintain the patient id and records databases? Who should maintain the keys to access the encrypted data? Not sure. But, whoever figures it out and implements it is going to make a fortune.
It's either insecure systems or human error, or a combination of both that allowed this breach in my opinion. Why oh why most (not all) IT companies use the lowest common denominator or put things in for "ease of use" instead of "security" ? Folks need to start standing up to these sociopaths (the non-technical people in control) and set things up like they should be - SECURE.
They should be using locked down, secure systems (IBM Mainframes with security systems on top?) and two factor authentication. Does it make it a bit harder for the mouth breathers to log in? Perhaps. But I'd take that over these constant breaches we seem to be having. Fine the companies into the ground to the point that they have to go out of business (or have another company perhaps take them over so the actual healthcare WORKERS (not CEOs and other overpaid folks) keep their jobs).
Perhaps I'm rambling a bit but I hope you get my point.
Cheers,
Miser
just another boogie man to add to the list when the current terrorist hysteria doean'st work anymore. We need to lock down the nation so those Chinese hackers can't steal your computer souls. Forget the fact that some idiot let the computers get infected with malware in the first place...
How do you know it was Chinese, just because it came form an IP originating in China?
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
How is it possible for those storing so much private data to have such weak security? Where is the responsibility for protecting this data?
Sadly, we live in a world where privacy and security has been given up by most and those that try to protect their personal data are treated as paranoid. Governments are moving closer to criminalising the use of encryption to protect data because it inconveniences their own spying efforts. Smartphone apps full of adware and spyware have become generally accepted, even though both would have been detected by antivirus software not that long ago. The new generation of IT professionals seem to have been caught up in this relaxed approach to data security.
Cybercrime is a massive growth industry, through selling stolen data, rasomware, identity theft, fraud, etc. The bottom line is that you should not really trust anyone with your personal data.
* As an aside, that mother's maiden name "security" question on the forms? Let's just say that the TSA provides more security than this does.
Mother's maiden name is a terrible security question anyway. It's often quite easy to find that data by checking geneology sites like Ancestry.com, or by the judicious use of Google. Marriage and funeral notices often include members of the entire family, and their relationships.
Not to mention the many "people finder" type sites that will sell you all the personal information you could hope for on a person for a nominal fee.
Given my experience, thieves don't need to go that far. The people who stole my identity used a completely and utterly incorrect Mother's Maiden Name and were still approved. (They also tried to immediately change the address on the card and get a $5,000 cash advance before it was activated. None of these things raised red flags, apparently.)
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
That sounds circular and crazy; he needs an EIN to be safe, but according to you he doesn't need one because of [unrelated reasons].
No, really man. Contractors with no employees should be giving out an EIN, not a SSN. They are free and you're allowed to have them. And they cannot be used for credit applications, only for tax reporting.